ACSC Logo
© 2026 GEMXIT
GEMXIT Logo
MFA • Entra ID • Legacy Authentication

The MFA Was On… Just Not Everywhere

A practical reminder that MFA only protects what it actually covers. When legacy authentication, exclusions or forgotten service accounts remain in scope, attackers look for those open paths first.

This is a common weakness in identity and access security in Microsoft Entra ID, where enforcement gaps matter more than configuration intent.

Discuss your environment Back to briefings
Agent Foskett Friday Cyber Briefings
Briefing summary

The client was not wrong — MFA existed. But it was not consistently enforced everywhere it needed to be.

Legacy auth still active
Exclusions still in place
Password spray activity seen

What happened

Coverage gaps matter more than intention.
MFA was presentOn paper, the tenant had MFA enabled and appeared to be in a stronger state than many others.
The missing coverage Legacy authentication was still enabled, some temporary exclusions remained, and service accounts had never been properly documented or protected.

This is exactly where gaps in identity and access controls are exploited first.
Lesson learned MFA is only effective where it is actually enforced. Attackers do not look for the locked doors — they look for the one that was forgotten.

This is where security operations visibility helps uncover gaps before they are exploited.

Related investigations

DMARC Fail Emails Find emails where authentication failed but delivery still occurred. Read more →
Spoofed Sender Domains Detect mismatched sender domains and potential spoofing attempts. Read more →
KQL Threat Hunting Guide Full investigation playbook across Defender, identity and endpoint. Read more →
Not sure MFA is really enforced everywhere?
GEMXIT helps review Entra ID, legacy authentication and Conditional Access coverage to close practical gaps.

MFA only works when it’s applied consistently across all access paths. 👉 Secure your identity environment properly

Contact GEMXIT
ACSC Logo  GEMXIT PTY LTD   GEMXIT UK LTD   © GEMXIT 2026

Agent Foskett The MFA Was On Just Not Everywhere

This Agent Foskett cyber briefing covers MFA gaps, legacy authentication, service account exposure and password spray risk in Microsoft Entra ID environments.

It focuses on the difference between MFA being present and MFA being fully enforced.